dynamicnet Posted April 3, 2008

Greetings:

This past weekend we cleaned up an irs.gov plishing site set up for an H-Sphere provider, and then did another clean-up Monday evening for yet another customer for the same irs.gov plishing site (dealing with fake refunds to get banking and other private data).

For those interested in attacking IP addresses, both attacks came from America Online (AOL): 172.168.217.114 and 172.164.57.71.

The attackers appeared to have used Google hacking to find OsCommerce administration areas which were not password protected (this was the vulnerability), and then proceeded to upload .help.php, which they then used to craft the plishing site.

The commonalities between the two plishing attacks included the following:

1. Vulnerability was an OsCommerce admin area which had no password protection.
2. Attacker used America Online (AOL).
3. Attacker uploaded .help.php, typically in the catalog/images directory.
4. Attacker created a directory called matrox in the images directory, which was either a holding place for the plishing directory and files or a holding place for .help.php (one site had an images/mail directory within which the plishing site was).

Thanks to http://www.markmonitor.com/ and http://www.castlecops.com/ for pointing out the plishing, and extra thanks to castlecops.com, who in their efforts to fight plishing directly attributed the plishing specifically to the oscommerce admin area.

For those of you who want to check your own servers for an existing "potential" plish, do the following:

cd [to area where your customer's content starts]
find . -name '.help.php' -print

For those of you who want to check your servers to see if you have a vulnerable oscommerce admin area, please note Nessus at http://www.nessus.org/ has a plugin to check for this and other vulnerabilities.

In ending, please make sure your admin area is password protected.

Thank you.

Peter M. Abraham, Senior Server Administrator, Dynamic Net, Inc.
-- US/Canada: 001-888-887-6727; International: 001-717-484-1062
Parallels H-Sphere Strategic Partner for H-Sphere Security and H-Sphere Server Management
Server Security, Server Administration, Server Migrations, co-location, dedicated servers, and more
web-project Posted April 3, 2008

Thank you for your information.

"America Online (AOL): 172.168.217.114 and 172.164.57.71."

The most unsecured network in the whole world; the spammers and the hackers use the AOL ISP. Personally, I recommend that all web hosting providers use firewall and mod_security protection on their servers as I do; all attacks are blocked instantly. Also, some firewalls come with a utility that filters the traffic by looking up the DShield Block List and blocking unwanted dodgy traffic.

Please read this line: Do you want to find all the answers to your questions? Click here. As for the contribution database, it's located here!

8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself. Before installing a contribution or editing/updating/deleting any files, do a full backup; it will save you and everyone here on the forum time to fix your issues.

Any issues with oscommerce, I am here to help you.
dynamicnet Posted April 3, 2008 (Author)

Greetings Alex:

mod_security would not help if an administrator was doing something valid. The key was an unprotected admin area where the party involved was using the functions for their intended purpose (granted, their own bad ones).

A firewall would have been worthless, as valid customers can come from AOL.

Thank you.

Peter M. Abraham, Senior Server Administrator, Dynamic Net, Inc.
Guest Posted April 3, 2008

"Attacker created a directory called matrox in the images directory"

The images folder should be 775 (the same as the other directories); they probably left it as 777 after uploading images. It is the cause of a lot of hacks on osC sites. You can FTP your images to the server and just save the name in your admin; you do not actually have to use it to upload, and so you should never have it 777.
user99999999 Posted April 3, 2008

Man's car gets stolen after he left it unlocked and running in a bad neighborhood.
♥FWR Media Posted April 3, 2008

"Vulnerability was OsCommerce admin area which had no password protection."

That's not a vulnerability of oscommerce; it is blatant stupidity on the part of the site owner.

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers (a KISS contribution)
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
dynamicnet Posted April 3, 2008 (Author)

Greetings:

May I ask how they should have known better?

May I ask why oscommerce does not automatically password protect the admin area during installation?

Thank you.

Peter M. Abraham, Senior Server Administrator, Dynamic Net, Inc.
Guest Posted April 3, 2008

"May I ask how they should have known better?"

The door on my house does not automatically lock; I have to lock it every night. It is knowledge I have acquired during my lifetime. When I started a web business I did not wait for someone to hack my site; I did my job and learned what needed to be done "before" I started it. Ignorance is not an excuse.

Thanks for the Nessus link, that looks like a very good program. :thumbsup:
germ Posted April 3, 2008

"May I ask how they should have known better?"

Gee, in my install PDF file it says this:

"You need to .htaccess your /catalog/admin directory so that it is password protected. You can use the password manager in your server admin area like cpanel."

I suppose when all else fails, READ THE DIRECTIONS.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
Like this post? "Like" it again over there >
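The checks raised so far in this thread (the find for .help.php and the matrox directory in the opening post, the 777 images directory in the Guest reply, and the .htaccess protection the install notes quoted above call for) as one audit script. This is an added example; it is not code from the thread, from Dynamic Net, or from osCommerce. The directory names admin and images/matrox, the finding tags it prints, and the .htpasswd path are assumptions for the example and should be adjusted to your layout.

```shell
#!/bin/sh
# Added example, not code from the original thread or from osCommerce.
# Audits a hosting tree for the indicators the thread describes and writes
# the .htaccess that the install notes ask for. Directory names (admin,
# images/matrox), the finding tags and the .htpasswd location are assumptions.

# osc_audit ROOT
# Prints one line per finding in the form "<tag>: <path>".
osc_audit() {
    root="$1"
    # 1. The uploaded file named in the thread, usually under catalog/images.
    find "$root" -type f -name '.help.php' 2>/dev/null | sed 's/^/shell-file: /'
    # 2. The "matrox" staging directory created under an images directory.
    find "$root" -type d -path '*/images/matrox' 2>/dev/null | sed 's/^/staging-dir: /'
    # 3. Directories left 777: anything running as the web server user
    #    (or any other local user) can drop files there.
    find "$root" -type d -perm -0002 2>/dev/null | sed 's/^/world-writable: /'
    # 4. osCommerce admin directories whose .htaccess enables no HTTP auth.
    #    A directory is treated as an osC admin area if it holds login.php
    #    or index.php; a missing .htaccess counts as unprotected.
    find "$root" -type d -name admin 2>/dev/null | while read -r d; do
        [ -f "$d/login.php" ] || [ -f "$d/index.php" ] || continue
        if ! grep -qi '^[[:space:]]*AuthType' "$d/.htaccess" 2>/dev/null; then
            printf 'unprotected-admin: %s\n' "$d"
        fi
    done
}

# osc_protect_admin ADMIN_DIR HTPASSWD_FILE
# Writes the basic-auth .htaccess for an admin directory. HTPASSWD_FILE is
# only referenced here; create it with Apache's htpasswd tool and keep it
# outside the document root.
osc_protect_admin() {
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "osCommerce Admin"
AuthUserFile $2
Require valid-user
EOF
    chmod 644 "$1/.htaccess"
}

# osc_unprotected_admin_count ROOT
# Number of unprotected admin directories under ROOT, for use in scripts.
osc_unprotected_admin_count() {
    osc_audit "$1" | grep -c '^unprotected-admin: ' || true
}
```

Run it as `osc_audit /path/to/customer/content` from the directory the opening post's cd points at; it prints one line per finding. `osc_protect_admin` only writes the .htaccess, so create the password file first (for example `htpasswd -c /etc/httpd/osc.htpasswd admin`, an assumed path) and keep it outside the document root, otherwise the password file is as exposed as the admin directory was. The `-perm -0002` check flags everything world-writable, including directories a provider may have set that way on purpose, so review each hit rather than bulk-chmodding.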
digilee Posted April 4, 2008

plish plosh splash.

1. Rename your 'admin' folder
2. PASSWORD PROTECT YOUR ADMIN FOLDER
3. If you ignore 1 and 2, don't come on here and complain that 'someone' got into your admin area.

Oh, and WTF is a 'plish'?

SolarFrenzy Solar powered gadgets at down to earth prices. CheekyNaughty Promoting British Design
Guest Posted April 4, 2008

I am very new to this site and joined because I have a problem that I was in hopes this forum could help me with. This is the first section that I have read. In saying that, let me also say this before I ask for help...

The way that I see it, Mr. Peter M. Abraham was passing on some very important information that, for myself, I am glad to know. The FLAMES that were sent his way and the reply that began with "GEE, ...." let me know that some may be smart, but if I ask a question, it may very well be something that I read in the instructions but did not really understand, such as what the .htaccess is - DOES THAT MAKE ME STUPID? Mr. Abraham, I know now why you have only posted 5 posts to this site.

If anyone on this site wishes to help me, I thank you dearly for it. If you just want to build yourself up in your own mind by flaming or trashing me, or belittling me.... please, don't go there because I will fight back and that is a waste of excellent forum time.

My Problem: I just loaded osCommerce yesterday. When I went online to check out the site, all of the directional blocks, i.e. "Continue", "Back", "Delete", were severely distorted, so bad you could not tell what they even were had the cursor box not displayed it when it rolled over it. Is that something that would be fixable within the program, or is it best for me to take it off and reload the program?

Thanks for listening, and should no one wish to help because, being new, I voiced my opinion in the beginning, I will understand and move on. Thanks
Guest Posted April 4, 2008

For Lee - I can only guess what WTF stands for, but I guess it is asking <Oh, and WTF is a 'plish'?>. Please let me offer my first help.

Plish is pronounced Fish, and this is the definition, taken from webopedia.com:

Pronounced "fishing," the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.

It feels good to help someone that doesn't know something understand it. Thanks, Lee, for giving me the opportunity.
digilee Posted April 4, 2008

That's 'phishing' not plishing! http://en.wikipedia.org/wiki/Phishing

Glad I could help you! :)
dynamicnet Posted April 4, 2008 (Author)

Greetings:

Randy, thank you for your kind words.

Please note that as a security and server administrator, we do encourage everyone to read the manual, to follow instructions, and so on. However, I also believe that application programmers have a responsibility as well, and if an area of the system should be password protected, then the application should be able to take care of that part of the security.

In our case, we did not host the two sites that were plished. Saturday we got an urgent support request about an irs.gov refund plish site, and resolved it, tying it to oscommerce. Monday evening we got another urgent support request from a different client who was notified by castlecops, who confirmed oscommerce and narrowed it down to an insecure admin area. We then did complimentary Nessus scans against those two providers' clusters, finding no more oscommerce issues.

Since we believe in education and awareness, we did post about this issue here in this forum, WHT, and the H-Sphere community forum. I'm surprised by the attitudes expressed in this forum compared to the other two. I was expecting anything from "we knew about it - old news" to just a simple thank you for being concerned about others using oscommerce. I did not expect flames against those who fell or would fall to such criminal activities.

In any event, I hope a future version of oscommerce does automatically protect the admin area upon installation, does automatically handle what should be the correct permissions, etc. And in the meantime, I hope we can all educate oscommerce merchants and hosting providers in a loving way to make sure the admin area is password protected, and chmod permissions are no higher than needed.

Thank you.

Peter M. Abraham, Senior Server Administrator, Dynamic Net, Inc.
burt Posted April 4, 2008

Peter, greetings.

"if an area of the system should be password protected, then the application should be able to take care of that part of the security."

I completely disagree - the onus only should be on the individual to make sure that his/her store is secure. Locking your door is elementary 101 - if these store owners knew anything about business, they would know about Data Protection. I hope that their customers never hear that their details were available to all and sundry!

"In any event, I hope a future version of oscommerce does automatically protect the admin area upon installation, does automatically handle what should be the correct permissions, etc."

Recent versions of osCommerce have password protection as part of the install procedure. I argued against it when it was first mooted, and I still feel strongly about it now - by implementing this, osCommerce has opened itself up to potential problems in the future should anyone who is in a litigious (is that a word?) mindset get their store hacked.
digilee Posted April 4, 2008

Totally agree, Burt. If I had a bricks/mortar store, would the building management company be held responsible if I left my back door open and had a break-in that night? I am sure they wouldn't give a flying 'phish'! :)

Too many people download OSC and set themselves up as a 'store' when they have no idea of the basic fundamentals of running a business, including simple things like making sure no-one can access what they shouldn't, and then wonder why they haven't had any sales.
Guest Posted April 4, 2008

Thanks for reminding me that too many people on forums today are more interested in basking in their own "lack of knowledge" than sharing and "LISTENING" when someone that may seem less intelligent (me, in your mind) actually knows what they are talking about. Most everyone, I thought anyways, knew that at http://en.wikipedia.org/wiki/Phishing anyone can go in and change the meanings, put their own definitions in, etc. In other words: take it with a grain of salt, and then DO ADDITIONAL RESEARCH. Try Googling "Plishing" and you will see where many respectable entries reference "Plishing".

As for the references to Mr. Abraham's help in warning us about a grave security threat if the admin section is not passworded, ... I guess osCommerce really hated to hear that everyone who downloads their software package must be proficient in business and must treat their store software as a physical building. I am sure the new folks that Mr. Abraham was speaking of had a very hard time finding the doors to lock on their computer store. I mean, I would, because the building I kept MY store in actually had doors to lock. Doesn't that sound stupid - Yes it does. Lee, this is why so many companies have R & D (Research and Development) teams to try and discover new ways hackers are getting into our VS (that is, Virtual Store). Lee, the intelligent business man that you are, even in the brick store, more intelligent people walked in every day. They were the ones that stole your products when you thought they couldn't.

Enough on this. I have looked at other areas on this forum where many are trying to actually HELP others. These are the ones that are going to make a difference in the computing world and for osCommerce, helping make it better. I do not mean anything that I write to down anyone or belittle them. Lee, my friend, do google "Plishing" and heighten your knowledge on the subject.

Enough forum space wasted and my time wasted on this. Thanks for the knowledge that I received from Mr. Abraham, and Java Roasters - the 777 thing :-) that was very useful info. I will keep it close when I get to that part of the building - after I solve the distorted button problem, that I still have after so much typing. Also, last and final on this - I thank the ones that were No Help At All. I guess a forum needs you too.
digilee Posted April 4, 2008

I'm pretty sure you'll be acquainted with this meaning then: http://www.urbandictionary.com/define.php?term=Plish
Guest Posted April 4, 2008

Lee, it's over, buddy - BUT again, if you are going to reference something to make your point, research.... maybe Mo Urban might not be such a good place to find quotes from the bible. I just checked and could not find "Christ, he plished all over me...and I couldn't wipe it off until he left the room" anywhere in any of the 10 translations that I checked. Again, google "blueletter bible" and click on their tool search. All translations that you could ever want can be found on that page.

Thanks ALL!
digilee Posted April 4, 2008

bored now. moving on.
WedgeCoop Posted April 4, 2008

I think the reason the original poster was met with some hostility is because his post came off looking like he was saying OSCommerce is insecure, which is not the case. Store owners who do not secure their site are the problem. To me, his post looked like an advertisement for the links he posted. And rbennett came off looking like a second account made by the original poster. Not saying it is, just saying it looks a little fishy.

Bottom line: Follow instructions and put an .htaccess file in your admin section. OSCommerce is secure.
digilee Posted April 4, 2008

"Not saying it is, just saying it looks a little fishy."

That'll be "Phishy". :)
dynamicnet Posted April 4, 2008 (Author)

Greetings:

I apologize if my original post came off as an attack against OsCommerce itself. That is not how it was meant on my part. My post was meant to provide education about password protecting the admin area as well as documenting some of the key points of the plish attack.

To those who believe it is up to the merchants to do all of the security, to me that's the same thing as buying a house where the doors ** do not ** have locks and keys; that you have to replace the doors with ones that have a locking mechanism that is desired by the then occupant / buyer.

I do believe security on the Net needs to be a way of life for everyone involved -- not just users of software, but also the vendor who makes software. That also goes for hosting providers as well. If hosting providers, software vendors, and software users are all security conscious (not just one party pointing fingers), then we will all benefit from a safer internet.

My thanks to Randy for his kind words, and to http://www.markmonitor.com/ and http://www.castlecops.com/ who participated in finding and pointing out the plishing sites.

Thank you.

Peter M. Abraham, Senior Server Administrator, Dynamic Net, Inc.
Guest Posted April 4, 2008

"I think the reason the original poster was met with some hostility is because his post came off looking like he was saying OSCommerce is insecure, which is not the case. Store owners who do not secure their site are the problem. To me, his post looked like an advertisement for the links he posted. And rbennett came off looking like a second account made by the original poster. Not saying it is, just saying it looks a little fishy. Bottom line: Follow instructions and put an .htaccess file in your admin section. OSCommerce is secure."

WedgeCoop - Hi, I am just a new person to this forum. A person that until just a few weeks ago had a simple domain at a reseller telephone company, paying $10.00 a month for the service and $24.95 for the domain. Then last week I got up the nerve to move that domain to Bluehost. The deals seemed too good to be true, but hey, only $7.95 for all they offer. I realized more about what they offered after I signed up, and have always wanted an estore so I could maybe go with an idea I have had for several years. Within the last few weeks, after moving to BH, I saw and read up on the estores. Mind you, they had to be free because frankly, I cannot afford more than $10.00 a month at this time. That is why I downloaded osCommerce a few nights ago and learned how to install it. It took almost all night. I had in the instructions where it said to password the Admin section. I agree with you that it should be common sense, but then "not driving drunk" is common sense also, but how many do it? Call them stupid; they say they just get caught up in the night and judgment gets fuzzy. That I think is what happens with "The Store"; everything is a learning curve. They have to password everything else that is detrimental to security within osCommerce and the other programs. I saw what Mr. Abraham said as a suggestion to osCommerce - a suggestion to look at it and make that mandatory. It is something that would be nice.

The reason I posted what I did, in support of the original post: I was reassured that I needed to make the security of the admin section a priority. I was reassured in what Java Roasters stated about the 777 codes. Maybe the ones of you that already know the osCommerce system inside and out think these were stupid statements. Please, don't be so quick to shut down the flow of simple information for those of us that need it, in hopes of one day making it to where you guys are.

WHY DID I POST ON THIS SITE: When I loaded osCommerce, the directional buttons, or whatever they are technically called, "Continue", "Back", "Edit", buttons in the installation of the software and the beginning of the set up of the store, are all distorted and unreadable, and I CANNOT GET ONE PERSON TO STOP ATTACKING AND FLAMING AND ACCUSING, and analyzing the situation, to even CONSIDER DOING WHAT THIS FORUM IS NAMED ---- SUPPORTing me with my problem. You mentioned that Mr. Abraham just looked like he was promoting the company he worked for or owned. I need help, would appreciate help, but not one word has been addressed to me about the problem I am experiencing. YET one of the posters that is a regular poster on here, I would guess, with a thousand or so posts, states at the bottom of every post they make "Do not PM your problems to me unless you are willing to pay". Isn't that TROLLING FOR BUSINESS? No, I guess they would say it is just to keep people from asking for free help. NO, IT IS TELLING FOLKS, I AM HERE AND WILL GIVE YOU HELP FOR PAY!!!!! Makes no difference to me, I can't afford to pay right now to anyone, but one day.... I will.

Everyone just needs to re-read each of the posts. Read them all for just what is in them. Don't add to them what is not there. Don't take away anything that is there.... and I think you will see that the HELP that this forum should be about, for many IS just a bully spot. A place they can feel how important they are because THEY KNOW the answers, and even if they don't, who the ---- are the peons writing, asking for THEIR HELP ANYWAYS!!!!

I have wasted over half a day, non-productive time, off and on.... just to try and get this forum to realize .... there are more of us out here that NEED help and are worthy of the knowledge you guys have than you realize. Remember back when you DIDN'T KNOW THE SIMPLER STUFF. That's all I am saying, WedgeCoop. I am just a 58 year old man out here that needs help with an osCommerce store that has distorted buttons!!! If anyone cares, or has made it to this part of a long reply, PM me and I will be happy to PM you my store address so you can go on and click on signing up for an acct. There you can see the direction buttons cannot be read - that is what I need a solution to. Then do not continue - the store is just as it was the second I had it installed.

Gentlemen, I wish each and every one of you the best. Please, Please, Please, if you are on this forum, Please be a help to the posts that you answer.

Randy
Guest Posted April 4, 2008

Digilee - Lee - I just thought about you having the solarfrenzy and the slogan at the bottom of your site. So I googled solarfrenzy and the very first, top, number 1 and 2 replies were:

Solar Frenzy - Solar gadgets at down to earth prices
Solar Frenzy - Environmental gadgets at down to earth prices.
www.solarfrenzy.com/ - 20k - Cached - Similar pages

Solar Alarm Clock - Silver / White - Solar Frenzy
Solar Alarm Clock - Silver / White (TSC_SAC_SW) - This silver and white solar alarm clock is the first product to be awarded the internationally recognised ...
www.solarfrenzy.com/solaralarmclocksilverwhite-p-172.html - 13k - Cached - Similar pages
More results from www.solarfrenzy.com »

Just wanted to mention that Lee's ad on the bottom of the five hundred plus posts he has made is working too. Google is good to ya, Lee. As a passing thought, I would think these were ads.... anyways, unless I am PM'ed this will be my last post on this topic.

Thanks Guys!!!